Registration and authentication in an Android application

Question:

I would like advice on the following question. I need to implement registration and authorization in an Android application. I am planning to do the REST backend in PHP. I see it all in the following form:

  1. The user is registered by sending us a username and password. We write it to the database and generate a unique token for authorization without a username and password.
  2. We receive the token in the Android application and save it in SharedPreferences.
  3. For subsequent communication with the server, we use a token to identify the user.

If the user taps "Exit" in the application, we delete the token both from the application and on the server. On re-authorization, we generate a new token and save it on the phone (for subsequent identification on the server).

In this case, the tokens will not have an expiration date. That is, the token will be valid until the user exits the application (or re-authorizes).

I would like to hear opinions about such a scheme. Maybe there are more graceful (safer) ways to accomplish a similar task?

Answer:

I would like to hear opinions about such a scheme. Maybe there are more graceful (safer) ways to accomplish a similar task?

This is not the most suitable place to exchange opinions.

On the substance of the question: it would be nice if the token had an expiration date, since otherwise security is lost.

Well, it would be nice to have two tokens: an access token and a refresh token.

Here you can find more information about tokens and their use.
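The two-token scheme the answer suggests, as an added example that is not from the original post: a short-lived access token plus a longer-lived refresh token, with tokens stored only as hashes on the server, refresh tokens rotated on every use, and logout revoking the whole session. Python stands in for the asker's PHP REST backend; the in-memory TokenStore, the TTL values and the session id are assumptions.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 15 * 60             # assumed: access token lives 15 minutes
REFRESH_TTL = 30 * 24 * 3600     # assumed: refresh token lives 30 days


class TokenStore:
    """In-memory stand-in for the server-side session table (assumption)."""

    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be tested
        self.access = {}         # sha256(access token) -> record
        self.sessions = {}       # sha256(refresh token) -> record

    @staticmethod
    def _h(token):
        # Store only a hash: a leaked database then yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, session=None):
        """Create a new access/refresh pair; returns the raw tokens for the client."""
        session = session or secrets.token_hex(8)   # ties both tokens together
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        t = self.now()
        self.access[self._h(access)] = {"user": user, "session": session,
                                        "expires": t + ACCESS_TTL}
        self.sessions[self._h(refresh)] = {"user": user, "session": session,
                                           "expires": t + REFRESH_TTL}
        return access, refresh

    def authenticate(self, access):
        """Return the user for a valid, unexpired access token, else None."""
        rec = self.access.get(self._h(access))
        if rec is None or rec["expires"] <= self.now():
            return None
        return rec["user"]

    def refresh(self, refresh):
        """Exchange a refresh token for a new pair; the old one is single-use."""
        rec = self.sessions.pop(self._h(refresh), None)   # rotation
        if rec is None or rec["expires"] <= self.now():
            return None
        return self.issue(rec["user"], rec["session"])

    def logout(self, refresh):
        """'Exit' in the app: drop the session and every access token of it."""
        rec = self.sessions.pop(self._h(refresh), None)
        if rec is not None:
            self.access = {k: v for k, v in self.access.items()
                           if v["session"] != rec["session"]}
```

The client keeps both tokens, sends the access token on every request, and only calls refresh when the server answers that the access token has expired; a refresh token that is reused after rotation is rejected, which is the signal that it may have been copied.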
